The United States has reportedly managed to develop a method that allows it to permanently embed surveillance and malware tools in computers and networks around the world, according to Kaspersky Lab, a Russian cybersecurity firm.
Kaspersky presented its research at a conference in Mexico Monday night. They have dubbed the creators of this technique the “Equation Group,” and have broadly hinted that it is tied to the U.S National Security Agency and its military partner, United States Cyber Command, due in part to a similarity between Stuxnet – the computer worm that disabled about 1,000 centrifuges in Iran’s nuclear enrichment program – and the new malware platform.
But the Equation’s level of sophistication makes Stuxnet seem like child play, according to Kaspersky’s report.
The new malware/spyware has been found primarily on computers in Iran, Pakistan and Russia. It is apparently capable of infecting a computer’s firmware, which renders it invulnerable to existing antivirus products and most security controls – and virtually impossible to purge from an infected system. Being able to infect firmware is as close as anyone has ever gotten to infecting hardware itself – the holy grail for many cybercriminals.
Among other routines, the new infection provides the ability to grab the encryption keys off a machine and decrypt protected files and documents. The tools can also run on computers that are disconnected from the Internet, which makes them well-suited for accessing systems that handle critical processes.
Equation has apparently been active for almost two decades, beginning in 1996 and swinging into full action in 2008, the year it developed several exceptionally powerful suites of cyberweapons which Kaspersky has named Equationdrug, Doublefantasy, Triplefantasy, Grayfish, Fanny and Equationlaser.
An add-on module enables Equationdrug and Grayfish to perform some of the most advanced processes attributed to the malware platforms: Equation can reprogram the firmware of hard drives built by all major manufacturers, including Maxtor, Seagate, Western Digital and Samsung. This enables an infection to survive even if the disk has been formatted and the OS has been reinstalled.
Kaspersky said infected machines have been spotted in 30 countries, including Iran, Russia, Syria, Afghanistan, Hong Kong, Mexico, United States, France, Switzerland, United Kingdom and India. Targets included government and military institutions, telecom companies, banks, energy companies, nuclear researchers, media, and Islamic leaders. Most of the infected machines are servers. It seems that the malware has potentially been programmed to avoid infecting computers in Jordan, Turkey and Egypt.
Kaspersky analysts found more than 300 domains connected with Equation. Some were set to expire, so Kaspersky re-registered a couple dozen of them. The Kaspersky report provides a deep dive into the findings, as well as ways to test for the presence of the infection on computers. Well worth a read.
Should your organization need assistance in testing for the presence of this or any other malware, please contact BAI Security. Our BAI Security Assessments utilize consistently proven (repeatable) methodology and established industry best-practices to gauge the security of your network ecosystem. We can work with you to develop a risk-based security plan geared to the needs of your business.